
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 30 Configuring Access Rules
Information About Access Rules
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the
following topics:
• Implicit Permits
• Using Access Rules and EtherType Rules on the Same Interface
• Rule Order
• Implicit Deny
• Inbound and Outbound Rules
• Using Global Access Rules
Implicit Permits
For routed mode, the following types of traffic are allowed through by default:
• IPv4 traffic from a higher security interface to a lower security interface.
• IPv6 traffic from a higher security interface to a lower security interface.
For transparent mode, the following types of traffic are allowed through by default:
• IPv4 traffic from a higher security interface to a lower security interface.
• IPv6 traffic from a higher security interface to a lower security interface.
• ARPs in both directions.
  Note: ARP traffic can be controlled by ARP inspection, but cannot be controlled by an access rule.
• BPDUs in both directions.
For other traffic, you need to use either an access rule (IPv4), an IPv6 access rule (IPv6), or an EtherType
rule (non-IPv4/IPv6).
Using Access Rules and EtherType Rules on the Same Interface
You can apply both access rules and EtherType rules to each direction of an interface.
Rule Order
The order of rules is important. When the adaptive security appliance decides whether to forward or drop
a packet, the adaptive security appliance tests the packet against each rule in the order in which the rules
are listed. After a match is found, no more rules are checked. For example, if you create an access rule
at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked.
You can disable a rule by making it inactive.
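The first-match behavior described under Rule Order can be audited offline. The following is an added example, not part of the Cisco guide: a simplified Python model of an ordered rule list that evaluates a packet and reports rules that can never be reached because an earlier active rule already matches everything they match. The Rule fields, rule names, addresses and the "implicit-deny" fall-through result are assumptions made for illustration and are not ASA or ASDM syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                      # simplified model, not ASA or ASDM syntax
    name: str
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # None means any port
    active: bool = True          # inactive rules are skipped

    def matches(self, src, dst, port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.port in (None, other.port))

def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first active rule that matches."""
    for rule in rules:
        if rule.active and rule.matches(src, dst, port):
            return rule.action, rule.name      # first match wins; stop checking
    return "deny", "implicit-deny"             # assumed fall-through result

def shadowed(rules):
    """List (later, earlier) pairs where the later rule can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.active and earlier.active and earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rule list: a permit-all placed at the beginning.
RULES = [
    Rule("permit-any", "permit", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("deny-telnet", "deny", "0.0.0.0/0", "10.1.1.0/24", port=23),
]
if __name__ == "__main__":
    print(evaluate(RULES, "192.0.2.10", "10.1.1.5", 23), shadowed(RULES))
```

Reversing the list, or marking permit-any inactive, lets deny-telnet take effect and clears the shadowing report.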
